Skip to content

gemnasium-maven does not support Gradle sub-projects unless build files are named build.gradle

Summary

Our gradle project has a modules directory where each service is a subdirectory. For each service our gradle file is service-name.gradle. The gemnasium maven analyzer produces a report with zero dependencies. If I rename each services service-name.gradle file to build.gradle then the gemnasium-maven analyzer produces a proper report.

See Modifying elements of the project tree in Gradle docs.

See #323921 for supporting custom build filenames at all levels, including in the Gradle root project.

Further details

gemnasium-maven won't scan a Gradle project unless its build file is named build.gradle. This is both because of the rules:exist of the job definition and because of the logic implemented in gemnasium-maven itself, in the gradle "builder".

gemnasium-maven is able to scan a multi-project Gradle build when the parent project has a build.gradle, but sub-projects are ignored unless their build files are also named build.gradle.

Steps to reproduce

  1. create a multi-project Gradle build where the parent has a build.gradle but the children have their build files named differently
  2. enable GitLab Dependency Scanning in the CI configuration file of the GitLab project, and trigger a pipeline
  3. inspect the project dependency list

Example Project

https://github.com/spring-projects/spring-framework/blob/v5.3.4/settings.gradle#L42

gitlab-org/security-products/tests/java-gradle-multimodules!29 (diffs)

What is the current bug behavior?

gemnasium-maven reports no dependencies for the sub-projects where the build file isn't named build.gradle

What is the expected correct behavior?

gemnasium-maven reports dependencies for all Gradle sub-projects, even when the build file isn't named build.gradle

Possible fixes

gemnasium-maven must be changed to scan all gradle-dependencies.json files even if there's no build.gradle file in the corresponding directories.

gemnasium-gradle-plugin might already support sub-projects where the build file isn't named build.gradle. To be checked. See discussion.

Workarounds

Rename the Gradle build files of all sub-projects to build.gradle, and update the settings.gradle of the parent project accordingly.

Edited by Fabien Catteau